Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
A
05/04/2022, 12:51 PMHi, I was trying to find information regarding data collection. Do you perhaps have any information about that? And maybe osquerys take on GDPR?
a
alessandrogario
05/04/2022, 1:04 PMIs this maybe more like a fleet management solution question (about maybe audit logs, and things automatically acquired on user machines)? osquery itself is just a data collection tool and what you acquire depends on what kind of queries are being run and where (a server, a personal machine, or a company laptop)
You may also have extensions installed that include additional capabilities not covered by the core tables
a
A
05/04/2022, 1:15 PMI was thinking of, if I download the app on a mac does my data that is collected end up in the cloud or such? π
a
alessandrogario
05/04/2022, 1:16 PMIt is up to you or the person that configures osquery
It does not send anything anywhere on its own
osqueryiosqueryd -Sosqueryda
A
05/04/2022, 1:17 PMPerfect! Thank you for the info!
fyi. @Daniel_
a
alessandrogario
05/04/2022, 1:17 PMbut sensitive data (if any) is likely in the results log, and that depends on what queries are running
queries are run from query packs, from adhoc queries (through a fleet management solution, such as Kolide or fleetdm)
a
A
05/04/2022, 1:18 PMWe are looking for an alternative for sysmon but for Mac!
a
alessandrogario
05/04/2022, 1:19 PMfrom distributed queries (also from fleet management solution), and from the extension socket (other osquery shells connecting to it, or osquery extensions providing additional functionality)
it all requires configuration, and the admin deploying osquery should probably know what is happening in the deployment
a
A
05/04/2022, 1:20 PMAwesome!
a
alessandrogario
05/04/2022, 1:20 PMI don't think osquery can replace sysmon, but the endpoint security based tables could provide some of the same features
a
A
05/04/2022, 1:21 PMi mean sysmon does not work for mac only windows.. we just want to see the same data in splunk for mac clients
a
alessandrogario
05/04/2022, 1:22 PMYou can see what can be gathered from endpoint security here: https://osquery.io/schema/5.2.2/#es_process_events
I know that file integrity monitoring (also based on endpoint security) is being worked on (@sharvil is the main dev on these two)
There are other, older tables, based on openbsm; I am not sure whether they are still working right now but i think the API is being deprecated
If we are talking about process events, you could capture things in the parameters that could be considered private information
For FIM, you would be looking at files opened, which would also I think fall in the same category
I am not an expert on GDPR, I think you need consent from the users and possibly you can only store that data within Europe
I think you need to talk to a lawyer to be sure, and not trust documentation as a precaution
a
A
05/04/2022, 1:26 PMSince the company own the employees computer, we're allowed to collect data. Such as what is being searched on and what people do on their computer.
a
alessandrogario
05/04/2022, 1:29 PMI think it depends potentially on what the computer is doing; if it's handling GDPR-protected data (like customer data for example) it's still in scope for GDPR laws
a
A
05/04/2022, 1:29 PMyes indeed
a
alessandrogario
05/04/2022, 1:29 PMMeaning: a company laptop may end up leaking GDPR-protected data while the employee performs their duty (like: opening personal records, etc)
So i still suggest to talk to a lawyer
a
A
05/04/2022, 1:30 PMyes π
s
seph
05/04/2022, 1:34 PMAs Alessandro said, osquery itself does nothing. It is a tool for structured data collection.
The osquery foundation does not maintain any central osquery logging. We are not a vendor that provides that service. (Though many of us do work for vendors that do)
How osquery is configured is very site specific. Both in terms of what data is collected, how itβs handled, and how thoughtful people are about the privacy implications.
Speaking as a Kolide employee (eg: a vendor), we aim to be very transparent and user focused in our data collection. I would refer you to https://honest.security for our discussion about these issues.
j
Jason
05/04/2022, 1:37 PMAs @seph said, since osquery is just a tool (and not a service) - the GDPR implications are entirely dependent on the implementation of of the service, or on the IT/engineering team implementing osquery. Standalone - as a downloadable binary, it has zero GDPR implications.
a
A
05/04/2022, 1:51 PMπ